Lewis Bergman wrote:
Matthew Schumacher wrote:
Lewis Bergman wrote:
Matthew Schumacher wrote:
I'm getting accounting messages like these that seem to be coming from the loopback interface, but `tcpdump -i lo` doesn't see them so they are not coming from a local client. If they are not coming from a local client then how can I figure out where they are coming from?
Thu Jan 12 07:19:58 2006 Acct-Status-Type = Stop NAS-IP-Address = x.x.x.x (legit nas IP) Acct-Delay-Time = 0 User-Name = "user" NAS-Port = 536936515 Acct-Session-Id = "0A000067" Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = x.x.x.x (legit Framed-IP-Address) Acct-Session-Time = 0 Acct-Input-Octets = 0 Acct-Output-Octets = 0 Acct-Input-Packets = 0 Acct-Output-Packets = 0 Client-IP-Address = 127.0.0.1 Acct-Unique-Session-Id = "1cc41474b27ed376" Timestamp = 1137082798
I assumed when you marked the NAS ip as legit, that the actual value in that field is a legit IP that you have listed in your clients.conf file. If that is the case, then that is where the packet originated from. My NAS's report the client IP as the NAS address if I log in from the network. Login-IP-Host = <ip of router> Client-IP-Address = <IP of NAS IP>
I think I remember if I logged in from the console port that it reports the Client address as the loopback.
According to the freeradius documentation and the code the Client-IP-Address attribute always records the source address of the packet, and the NAS-IP-Address is provided by the NAS, and if it isn't freeradius puts in the source address. This means that the log above states that a packet with the NAS-IP-Address of a legit nas was sourced from 127.0.0.1 which is not possible since I don't have a client running on the local machine which is confirmed by the lack of packets shown in tcpdump. At this point I am starting to think there is a bug in freeradius where the Client-IP-Address gets recorded incorrectly. If you login to the serial port of your nas then you could see the NAS-IP-Address as 127.0.0.1 but you should never see a Client-IP-Address of 127.0.0.1 unless the client sourced it's packet from the radius servers loopback interface. schu